Abracadabra Suffers Third DeFi Exploit As Hackers Drain $1.7 million

DeFi project Abracadabra has suffered a fresh exploit that drained about $1.7 million from its platform.

Blockchain security firm Go Security flagged the breach on October 4 and confirmed that attackers had already laundered about 51 ETH through Tornado Cash. At the time of reporting, the attacker’s wallet (identified as 0x1AaaDe) still held around 344 ETH, worth approximately $1.55 million.

How Abracadabra Was Exploited for the Third Time

Security researcher Weilin Li verified the exploit and explained that the attacker manipulated Abracadabra’s smart contract variables to bypass a solvency check.

This allowed them to borrow assets beyond the intended limit, prompting Abracadabra’s team to pause all contracts to prevent further losses.

Another blockchain audit firm, Phalcon, traced the root cause to a faulty logic sequence in the platform’s cook function. This is a mechanism that lets users execute several predefined actions in one transaction.

.@MIM_Spell was attacked hours ago, resulting in a loss of ~$1.7M. The root cause stems from the flawed implementation logic of the cook function, which allows users to execute multiple predefined operations in a single transaction. Specifically, the actions share a common… pic.twitter.com/4tQzkRbwcT

— BlockSec Phalcon (@Phalcon_xyz) October 4, 2025

According to the firm, the attacker carried out two operations that overrode key safeguards.

The first, known as action 5, initiated a borrowing process that was supposed to pass solvency checks. The second, called action 0, acted as an empty update function that rewrote the check flag and skipped the final validation step.

The attacker drained more than 1.79 million MIM tokens by repeating this pattern across six different addresses.

As of press time, Abracadabra has yet to comment publicly on the incident. Notably, the project’s official X account has remained silent since early September.

However, Go Security reported that the Abracadabra team confirmed on Discord that it would use DAO reserve funds to repurchase the affected MIM supply.

🚨 GoPlus Security Alert: The lending and stablecoin platform Abracadabra ( $SPELL ) appears to have been attacked again, with losses of approximately $1.77 million. Its official Twitter account @MIM_Spell has not been updated since September 9.Attacker Address:… pic.twitter.com/IjECKsOCWX

— GoPlus Security 🚦 (@GoPlusSecurity) October 5, 2025

Meanwhile, if verified, the latest incident would mark the third exploit against Abracadabra in under two years.

In January 2024, the platform lost $6.49 million in a hack that briefly depegged the MIM stablecoin from the US dollar. A second exploit in March 2025 drained another $13 million from its cauldron contracts, after which the team offered the hacker a 20% bounty.

The recurrence of such breaches raises renewed questions about the security of the DeFi protocol and the sustainability of its cross-chain lending architectures.